On Tue, Feb 1, 2011 at 11:16 AM, Eystein Måløy Stenberg
<[email protected]> wrote:
> Perhaps run it in verbose mode to see if it enters the directories?
> I ran your policy earlier today, and it worked.
> Note that the suspiciousnames list is only matched against regular
> files, not directories/symlinks/etc.
>
> --Eystein
Dear Eystein,
Got it. .mo is a regular file, but cf-agent does not complain about
it on my system. Does it complain about it on yours?
# cat /root/tmp2/.mo
Tue Feb 1 10:51:30 PST 2011
# ls -l /root/tmp2/.mo
-rw-r--r-- 1 root root 29 Feb 1 10:51 /root/tmp2/.mo
#
Here is the verbose output.
community> Initiate variable convergence...
community> -> Immunizing against parental death
community> -> Concidering .mo as suspicious file
community> -> Concidering lrk3 as suspicious file
community> -> Concidering rootkit as suspicious file
community> -> Bundlesequence => {'report_suspicious_file_names'}
community>
community> *****************************************************************
community> BUNDLE report_suspicious_file_names
community> *****************************************************************
community>
community>
community> + Private classes augmented:
community>
community> - Private classes diminished:
community>
community>
community>
community> =========================================================
community> files in bundle report_suspicious_file_names (1)
community> =========================================================
community>
community>
community> .........................................................
community> Promise handle:
community> Promise made by: /root/tmp2
community> .........................................................
community>
community> -> Using literal pathtype for /root/tmp2
community> -> Handling file existence constraints on /root/tmp2
community>
community> + Private classes augmented:
community>
community> - Private classes diminished:
community>
community>
community>
community> =========================================================
community> files in bundle report_suspicious_file_names (2)
community> =========================================================
community>
community>
community> + Private classes augmented:
community>
community> - Private classes diminished:
community>
community>
community>
community> =========================================================
community> files in bundle report_suspicious_file_names (3)
community> =========================================================
community>
community> Outcome of version (not specified): No checks were scheduled
community> Estimated system complexity as touched objects = 1, for 1 promises
community> -> Writing last-seen observations
community> -> Keyring is empty
community> -> No lock purging scheduled
I also ran cf-agent under strace, and cf-agent does not descend into /root/tmp2:
# grep tmp2 strace.out
30394 lstat("/root/tmp2", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
30394 stat("/root/tmp2", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
30394 stat("/root/tmp2", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
#
Again, here is my policy:
body common control
{
    bundlesequence => { "report_suspicious_file_names" };
    inputs => { "cfengine_stdlib.cf" };
}

body agent control
{
    suspiciousnames => { ".mo", "lrk3", "rootkit" };
}

bundle agent report_suspicious_file_names
{
    files:
        "/root/tmp2"
            depth_search => recurse("inf");
}
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
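An added cross-check, not from the thread and not CFEngine's own code: a plain-shell walk over a constructed tree that reports only regular files whose basenames are in the suspicious list, mirroring Eystein's description (directories and symlinks are skipped), so its output can be compared with what cf-agent -v or strace shows for the same tree.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): an independent,
# recursive walk that reports REGULAR files whose names are on the
# suspicious list, the behaviour described for cf-agent's suspiciousnames.

# suspicious_files DIR NAME...  -> matching regular files, one per line
suspicious_files() {
    dir=$1; shift
    for name in "$@"; do
        # -type f excludes directories and symlinks (find does not follow
        # links by default), as the thread says suspiciousnames does
        find "$dir" -type f -name "$name"
    done | sort
}

# Constructed fixture mirroring /root/tmp2 from the thread: a regular .mo
# file plus a directory and a symlink that also carry suspicious names.
make_fixture() {
    t=$(mktemp -d)
    date > "$t/.mo"                  # regular file: should be reported
    mkdir -p "$t/rootkit/deep"       # directory named rootkit: not reported
    : > "$t/rootkit/deep/lrk3"       # nested regular file: should be reported
    ln -s "$t/.mo" "$t/lrk3"         # symlink named lrk3: not reported
    printf '%s\n' "$t"
}

# count_hits DIR NAME... -> number of regular files matched
count_hits() {
    suspicious_files "$@" | wc -l | tr -d ' '
}

fixture=$(make_fixture)
suspicious_files "$fixture" .mo lrk3 rootkit
rm -rf "$fixture"
```

Running it lists the two regular files (.mo at the top level and the nested lrk3) and nothing for the rootkit directory or the lrk3 symlink.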